This paper explores Server-Aided Verification (SAV) protocols, focusing on their theoretical framework and practical applications in identification schemes. The authors, Marc Girault and David Lefranc, present a comprehensive model highlighting the roles of prover, verifier, and server. Key elements include definitions of legitimate and misbehaving provers, security models for signature schemes, and an illustrative example demonstrating the protocols. The research also covers the first SAV protocols for pairing-based schemes and concludes with insights on auxiliary properties like completeness and soundness that enhance security.
Server-Aided Verification: Theory and Practice
Source: ASIACRYPT 2005, LNCS 3788, pp. 605-623
Authors: Marc Girault and David Lefranc
Presenter: Chun-Yen Lee
Outline
• Introduction
• Model
• SAV Protocols for Identification Schemes
• First SAV Protocols for Pairing-Based Schemes
• Conclusion
Introduction (figure: the three parties Prover, Verifier and Server)
Outline
• Introduction
• Model
  • An Illustrative Example
  • Definitions
  • Security Model in the Case of Signature Scheme
• SAV Protocols for Identification Schemes
• First SAV Protocols for Pairing-Based Schemes
• Conclusion
An Illustrative Example
• In this scheme, the signer computes a signature of the message m by extracting a root modulo n of f(m), where f is specific to the exact scheme used.
• The verifier checks that
• If the equality holds, the signature is accepted; otherwise, it is rejected.
An Illustrative Example (figure: message flow between the server and the verifier)
An Illustrative Example
• What about a possible collusion between a cheating prover and the server?
An Illustrative Example (figure: message flow between a cheater, the server and the verifier)
Definitions
• Definition 1 (Legitimate/Misbehaving/Cheating)
• P : prover
• V : verifier
• : a prover which deviates from the protocol
  • cheating
  • misbehaving
• : an interactive proof of knowledge between P and V
Definitions
• Definition 2 (SAV protocol)
• : an interactive proof of knowledge between P and V, with a common input I of size |I|, which halts by verifying a predicate .
• if the predicate is satisfied
• if not
• : the computational cost of V
Definitions
• Definition 2 (SAV protocol)
• : an interactive proof of knowledge between P, V and S (the server), equal to the composition of two protocols:
• is equal to protocol without the verification of ;
• is an interactive protocol between V and S;
• V finally accepts or rejects I by verifying a final predicate
• : the computational cost of V
Definitions
• Definition 2 (SAV protocol)
• The protocol is said to be a server-aided verification (SAV) protocol for if:
• 1. (auxiliary completeness)
Definitions
• Definition 2 (SAV protocol)
• The protocol is said to be a server-aided verification (SAV) protocol for if:
• 2. (auxiliary soundness)
• 3. (computation gain)
• The computational cost is strictly less than
Definitions
• Definition 2 (SAV protocol)
• The protocol is said to be a server-aided verification (SAV) protocol for if:
• If non-repudiation is required, must also verify:
• (auxiliary non-repudiation)
Outline
• Introduction
• Model
• SAV Protocols for Identification Schemes
  • An Unconditionally-Unknown-Predicate-Based SAV Protocol
  • A Hard-to-Solve-Predicate-Based SAV Protocol
• First SAV Protocols for Pairing-Based Schemes
• Conclusion
The Lim-Lee modification of the Schnorr identification scheme (figure: the protocol between P, V and S)
The Lim-Lee modification of the Schnorr identification scheme
• Theorem 1.
• Let I be a public key (g, p, q, v) and t the security parameter of the Schnorr scheme.
• The Lim-Lee protocol is a SAV protocol for the Schnorr scheme if |q| > t and log2|I| = o(t).
The Lim-Lee modification of the Schnorr identification scheme
• Proof:
• Auxiliary completeness.
The Lim-Lee modification of the Schnorr identification scheme
• Auxiliary soundness.
• The entropy of k is exactly equal to t.
• k is unconditionally unknown.
• Only one value of k satisfies the final equation.
• : the probability is equal to 2^(-t).
• This probability is negligible if log2|I| = o(t).
The Lim-Lee modification of the Schnorr identification scheme
• Computational gain.
• Schnorr scheme: |y| = |q| and |c| = |k| = t
• = 1.5|q| + 0.25t modular multiplications
• Lim-Lee scheme
• : 1.75t modular multiplications
• multiplying by Z requires one more
• = 1.75t + 1 modular multiplications
• If we omit the negligible cost ( ):
• If |q| > t, then 1.5(|q| - t) - 1 > 0
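Where the operation counts on this slide come from, as an added example (not code from the paper or the presentation): a Schnorr verifier whose g^y v^c computation uses Shamir's simultaneous exponentiation with a multiplication counter, next to the slide's cost formulas. It assumes the standard Schnorr scheme with v = g^-s and the check g^y v^c = x (the page does not display the equation) and small constructed parameters; the Lim-Lee blinding step itself is not reproduced here.

```python
import random

def simul_exp(g, v, a, b, p):
    """g^a * v^b mod p by Shamir's simultaneous exponentiation (shared squaring chain,
    table {g, v, g*v}). Returns (value, squarings, mults); mults includes computing g*v."""
    table = {(1, 0): g, (0, 1): v, (1, 1): g * v % p}
    acc, started, sq, mul = 1, False, 0, 1
    for i in range(max(a.bit_length(), b.bit_length()) - 1, -1, -1):
        if started:
            acc, sq = acc * acc % p, sq + 1
        bits = ((a >> i) & 1, (b >> i) & 1)
        if bits == (0, 0):
            continue
        if started:
            acc, mul = acc * table[bits] % p, mul + 1
        else:
            acc, started = table[bits], True
    return acc, sq, mul

def schnorr_transcript(p, q, g, s, r, c):
    """Honest prover (constructed helper): v = g^-s, x = g^r, y = r + s*c mod q."""
    return pow(g, q - s, p), pow(g, r, p), (r + s * c) % q

def schnorr_verify(p, g, v, x, c, y):
    """Standard Schnorr check g^y * v^c == x (mod p); also returns the
    verifier's modular-multiplication count (squarings + mults)."""
    z, sq, mul = simul_exp(g, v, y, c, p)
    return z == x, sq + mul

# Cost formulas exactly as stated on the slide (modular multiplications).
def cost_schnorr(qbits, t):
    return 1.5 * qbits + 0.25 * t      # g^y v^c with |y| = |q| and |c| = t
def cost_lim_lee(t):
    return 1.75 * t + 1                # g^k v^c with |k| = |c| = t, then one mult by Z
def gain(qbits, t):
    return cost_schnorr(qbits, t) - cost_lim_lee(t)   # = 1.5(|q| - t) - 1

def average_ops(abits, bbits, trials=200, seed=1):
    """Mean operation count of simul_exp over random exponents of abits and
    bbits bits (top bit set); compare with cost_schnorr / cost_lim_lee - 1."""
    rng = random.Random(seed)
    p = 2**127 - 1                     # constructed modulus; only the counts matter
    total = 0
    for _ in range(trials):
        a = rng.getrandbits(abits) | 1 << (abits - 1)
        b = rng.getrandbits(bbits) | 1 << (bbits - 1)
        _, sq, mul = simul_exp(2, 3, a, b, p)
        total += sq + mul
    return total / trials
```

Averaging over random 160-bit and 80-bit exponents gives about 1.5|q| + 0.25t operations, and two 80-bit exponents give about 1.75t, which is the verifier's work in the Lim-Lee scheme before the final multiplication by Z.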
The Lim-Lee modification of the Schnorr identification scheme
• Auxiliary non-repudiation.
• As the security of the SAV relies on the perfect privacy of k, i.e. the unconditional security of the transformation over y, even a misbehaving prover has no advantage over a cheater in determining the value k.